Subject: Re: Are signatures of system images verified?
To: Bryan Drewery, Yuri
Cc: freebsd-pkgbase@FreeBSD.org
From: Colin Percival
Date: Wed, 29 Jun 2016 16:50:55 -0700

On 06/29/16 16:38, Bryan Drewery wrote:
> Around that time (January 2016), Colin Percival has been maintaining a
> copy of the MANIFESTS in ports-mgmt/poudriere as well.

For the record, I obtained these files by downloading the release ISOs,
verifying their hashes against the signed release announcements, and then
extracting the MANIFEST files from the ISOs, and I intend to do this for
future releases as well. I think the consensus was that this was a better
option than adding "commit MANIFEST files to the ports tree" to the already
very lengthy release engineering checklist, but of course I'd have no
objection to handing over this task if re@ wanted it for some reason. :-)

> Those get
> installed with Poudriere and used during jail -c after fetching if
> available, so that relying on https isn't required. These were missing
> for ports-mgmt/poudriere-devel until just now. I've moved them to
> misc/freebsd-release-manifests and made both ports depend on it.

Sounds good.

-- 
Colin Percival
Security Officer Emeritus, FreeBSD | The power to serve
Founder, Tarsnap | www.tarsnap.com | Online backups for the truly paranoid
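
The check discussed in this message (comparing fetched distribution sets against a locally installed MANIFEST instead of trusting the transport), sketched as an added example; it is not Poudriere's code and not part of the original message. It assumes each MANIFEST line is tab-separated with the file name first and its SHA-256 second; `parse_manifest`, `verify_sets` and `demo` are hypothetical names.

```python
import hashlib
import re
import tempfile
from pathlib import Path

def parse_manifest(text):
    """Return {file name: sha256 hex} from tab-separated MANIFEST text."""
    entries = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        name, _, rest = line.partition("\t")
        digest = rest.split("\t")[0].lower()
        # Entries name plain files; a path here could escape the fetch dir.
        bad_name = name in ("", ".", "..") or "/" in name or "\\" in name
        if bad_name or name in entries or not re.fullmatch(r"[0-9a-f]{64}", digest):
            raise ValueError(f"line {lineno}: rejected entry {name!r}")
        entries[name] = digest
    return entries

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        while chunk := f.read(1 << 20):  # stream: sets can be large
            h.update(chunk)
    return h.hexdigest()

def verify_sets(manifest_text, fetch_dir, wanted):
    """Map each wanted set to 'ok', 'mismatch', 'missing' or 'unlisted'."""
    trusted = parse_manifest(manifest_text)
    result = {}
    for name in wanted:
        path = Path(fetch_dir, name)
        if name not in trusted:
            result[name] = "unlisted"  # no trusted hash, so never extract it
        elif not path.is_file():
            result[name] = "missing"
        elif sha256_file(path) == trusted[name]:
            result[name] = "ok"
        else:
            result[name] = "mismatch"
    return result

def demo():
    """Constructed data: base.txz intact, kernel.txz altered, src.txz unlisted."""
    with tempfile.TemporaryDirectory() as d:
        manifest = ""
        for name, tamper in (("base.txz", b""), ("kernel.txz", b"!")):
            data = b"constructed " + name.encode()
            manifest += f"{name}\t{hashlib.sha256(data).hexdigest()}\t1\n"
            Path(d, name).write_bytes(data + tamper)
        return verify_sets(manifest, d, ["base.txz", "kernel.txz", "src.txz"])
```

Anything other than `ok` for a requested set should stop the jail creation before extraction; the MANIFEST itself is only as trustworthy as the channel it was installed from.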